Chief Information Security Officers Support Continuous Diagnostics and Mitigation Program

Department of Homeland Security official puts rumors to rest.

Chief information security officials from various agencies voiced support for the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) Program, which is designed to fortify computer networks across the federal government. The officials spoke out in support of the program while serving on a panel during the AFCEA Homeland Security Conference, Washington, D.C. Panel moderator John Streufert, director of Federal Network Resilience at the Department of Homeland Security, took the opportunity to put some rumors to rest.

Streufert said he had heard rumors being floated that major government agencies and departments were abandoning the Continuous Monitoring as a Service (CMAS) contract. "I can tell you there is no pattern of that happening," he declared. In fact, he said he expects additional requests for information for leap-ahead technologies and for additional team members to be chosen for the contract. "In my own mind, I believe there will be an urgent need for a second CMAS contract," he predicted.

He also said a second CDM task order will likely be awarded in June to address services and commodities to all departments and agencies.

Jeff Eisensmith, Homeland Security Department chief information security officer, said he sees CDM as an opportunity to provide a single operational picture across DHS, which was stitched together 10 years ago from a variety of departments and agencies. "What I see in front of me is a patchwork quilt with products of all shapes and colors. I see CDM as an opportunity of epic proportions," Eisensmith said, adding that the department intends to purchase CDM for the entire enterprise. "I'm supplying DHS with the same product, the same color so that we get a truly first-time common operating picture. It's a great opportunity."

The panel also discussed the Federal Information Security Management Act (FISMA), which requires departments and agencies to design and implement plans to secure all networks supporting their organizations, even if they do not own some of those systems. FISMA also requires progress reports every three years, reports that take up to nine months to complete, which means that by the time they are done, the threat situation has changed. Panel members complained about the "3-ring binders" associated with the FISMA checklist to the point that the phrase almost became a punch line.

Eisensmith reported that DHS has chosen to essentially buck the FISMA system. "Nobody likes the 3-ring binder. In these times of incredibly scant resources, I'm not willing to squander [resources] to just do a checklist," Eisensmith declared. "I'm going to focus on those things that cause a lot of pain and defocus on those things that are not causing a lot of pain." He added that if something is not important, "I'm not going to check that box every three years. That's a radical departure from the way FISMA has been done in the past."

He added that the approach prompted a discussion with officials at the Government Accountability Office, the White House and the National Institute of Standards and Technology. "We all partnered up and talked about ways to get away from the 3-ring binder," he reported.